GhostNet, Social Malware, Spear Phishing and Social Engineering

Over the last few weeks, I’ve done a lot of talking with friends and colleagues about “GhostNet”. That’s the name given by some Canadian security researchers to an enormous “spy network” of computers worldwide, used to gather sensitive information from places like the offices of the Dalai Lama and the Indian Embassy here in Washington, D.C. While one set of researchers said that it was not conclusive that it was China that was behind the intrusions, another group pointed a finger directly at China and the PLA. The two reports are as follows:

The reason I have been talking about it so much is because this is an issue that is near and dear to my heart, and has been for several years. I was unaware of the fact that these security researchers were writing these reports, but I have been following the Tibetan malware issue since the news broke of it last year. In March of 2008, I posted the following as a front page post to MetaFilter:

The recent cyber attacks on pro-Tibet groups in the U.S. (attack details, technical data) and on the Save Darfur Coalition, among others, have managed to catch the attention of some in the mainstream media. Such super-targeted spear phishing attacks have been on the rise for several years, and have become an important tool for corporate espionage and military infiltration attempts. Teaching users to recognize such attack emails is probably the most effective deterrence, as technology solutions have shown to not be particularly effective. Some companies and government agencies even conduct sting operations to ferret out which internal users fail the test, targeting them for additional training.

The reason that I wanted to highlight this general issue of socially engineered and specifically targeted malware is that it’s something that affects me on a regular basis. Since late December 2006, we have noted similar types of attacks where I work (I work on Taiwan issues in Washington, D.C.). After looking into it in more detail (in old Outlook files from past employees), I have seen instances of this type of stuff going back to as early as 2003. But it was in 2006 that we began noticing a pattern of emails that contained malware-infested attachments but that seemed very, very well written and targeted towards the kinds of topics that my colleagues and I would be interested in.

It began with things like “here is an update on our new board members” or “here is the contact information we have for you, please update and send back”, supposedly sent from organizations that we were working with on various projects. They were almost good enough to fool us, but the tone and content of the emails rang false enough that we became suspicious. I began systematically tracking these emails, in an effort to see what on earth was going on. Early on, they were mostly Word files, but that has since changed to become primarily PDF files, and sometimes zip files with .chm files (a special type of HTML file developed by Microsoft for online help documents) included. Usually they come attached to the targeted email, but sometimes those emails just contain links to outside files hosted on hacked web servers.

Then in the spring of 2007, the non-profit that I work for was used as the “sender” in a big email blast with malicious attachments that really put us on notice that this was going on. That’s when I started talking to the people in the community about this, and when we started blowing the whistle on this issue to our contacts within the U.S. government (including the State and Defense departments, etc.).

Our good name and reputation have been used many times since then to try to spread malware. It is incredibly frustrating and scary to see your name and email address used in the from and signature fields of an email that you did not send – an email that contained a trojan-infected attachment, and that then went out to lots of people you work with and some you only know by reputation. It’s usually worse because it’s generally an email that you could potentially have sent out (in my case, usually something about the Taiwan defense conference I plan each year), so they must be watching you in some manner. For example, my name is on the press releases we send out from the organization, so that is an easy vector for people to figure out what I’m working on.

In November of 2007, I posted about that particular spring 2007 incident on Ask MetaFilter as well, to answer a question about spear phishing – that’s before the term “social malware” came into use to describe this kind of socially-engineered malware attack. I also included in that comment another example from around that time:

Is spear-phishing different from regular phishing?
I thought I’d elaborate because it’s a huge issue for me. It’s also a really insidious social engineering technique that not enough people are aware of. [Spear phishing is] a targeted attack towards a company/organization/government entity, and is a lot harder to spot than “normal” phishing.

Let me give you an example. I work on China/Taiwan issues in Washington, D.C. Each week, my (small but prominent) non-profit distributes a newsletter via email to a small audience that consists of government officials, think tank analysts, defense company executives, etc. One day this spring I got an email that mimicked exactly the email we had sent out the week before, which happened to contain an unusually interesting newsletter. It looked just like it, with the exception being that the correctly-named attachment was a Trojan-infected Word document rather than our normal PDF file. [1. Screen shot of the original, real email sent out by the Council, with a PDF newsletter attachment. 2. Screen shot of the fake email spoofing the Council as sender, mimicking the original but substituting a malware-infected Word attachment.] This email was distributed to a huge group of people with an interest in China/Taiwan, a lot of whom are familiar both with the organization and with the newsletter itself, even if they are not on the normal distribution list. I don’t even want to think about how many people fell for that.

One more example. A non-profit in D.C. held a seminar on safety issues with Chinese imports (i.e. lead paint on toys, etc.) that I was invited to but did not attend. The next day, I received an email from that think tank with a Word attachment billed as an event summary and analysis written by the program director. Ah, so tempting to read! But it just so happens that I correspond with the program assistant often, and the tone of the email was all wrong. Once I started to look into it, the email header was way off, and the attachment, I wasn’t surprised to find, contained a Trojan.

We have seen such an increase in these kinds of spear phishing attacks this year that nobody in my office opens any attachments without checking email headers and/or doing malware scans first. We are extremely diligent, but that’s easy to do with a small staff. Let’s just say that I wasn’t surprised to read about the recent issues at the Department of Commerce and at DoD… Sorry, more than you ever wanted to know. It’s an important issue, though, and more people should know about it.
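The header and attachment checks the comment above describes (compare the claimed sender with the envelope and relay headers, and look at the attachment before opening it) can be scripted so that every incoming message gets the same first pass. The following is an added example, not code from the author or from the MetaFilter thread. The message it parses is constructed for illustration (the example-council.org and example-ngo.org domains, the relay names and the addresses are made up), and the set of extensions treated as risky is an assumption drawn from the attachment types mentioned on this page (.doc, .chm, .zip).

```python
import email
import hashlib
import os
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real captured email). The displayed From
# claims to be the organisation's newsletter, but the envelope sender and the
# originating Received hop belong to an unrelated relay, and the attachment is
# a Word .doc where the real newsletter always goes out as a PDF.
SAMPLE_EML = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10]) by mx.example-ngo.org with ESMTP; Mon, 16 Apr 2007 09:12:00 -0400
Received: from unknown (HELO pc-7) [203.0.113.45] by mail-relay.example.net; Mon, 16 Apr 2007 09:11:30 -0400
From: "Council Newsletter" <newsletter@example-council.org>
To: analyst@example-ngo.org
Subject: Weekly newsletter
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BND"

--BND
Content-Type: text/plain; charset="us-ascii"

Please find attached this week's newsletter.
--BND
Content-Type: application/msword; name="newsletter.doc"
Content-Disposition: attachment; filename="newsletter.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--BND--
"""

# Assumption: the attachment types this office treats as suspect by default.
RISKY_EXTENSIONS = {".doc", ".chm", ".zip", ".exe", ".scr"}

# File-type magic bytes used to cross-check the claimed extension.
MAGIC = {
    ".pdf": b"%PDF",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 container (binary Word)
    ".zip": b"PK\x03\x04",
}


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw_bytes):
    """Parse one raw message and return a dict of heuristic findings.

    Findings are prompts for a manual check (a phone call to the supposed
    sender), not a verdict: legitimate mail that passes through a third-party
    relay can trip the header heuristics too.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    from_domain = domain_of(msg.get("From"))
    rp_domain = domain_of(msg.get("Return-Path"))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"return-path domain {rp_domain} differs from From domain {from_domain}")

    # Each hop prepends its own Received header, so the last one listed is the
    # hop closest to the origin; a spoofed From domain rarely appears there.
    received = msg.get_all("Received", [])
    if received and from_domain not in str(received[-1]).lower():
        findings.append("originating Received hop does not mention the From domain")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ext = os.path.splitext(name)[1].lower()
        data = part.get_payload(decode=True) or b""
        # Record a hash so the sample can be submitted to a scanner or shared
        # with an analyst without mailing the file around again.
        attachments.append((name, hashlib.sha256(data).hexdigest()))
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} has a risky extension {ext}")
        magic = MAGIC.get(ext)
        if magic and not data.startswith(magic):
            findings.append(f"attachment {name} content does not match its {ext} extension")

    return {"from_domain": from_domain, "findings": findings, "attachments": attachments}


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print("SUSPECT:", line)
```

Run against the constructed message, the script flags the envelope/From mismatch, the unrelated originating hop and the .doc attachment; the magic-byte check stays quiet because the file really is an OLE2 document, which is the point of keeping extension and content checks separate. On real mail, feed it the raw .eml as saved by the mail client, and treat any finding as a reason to pick up the phone before opening the attachment.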

Around that time, I had also been talking to Robert Lemos, a tech reporter covering the story of supposed Chinese cyber attacks on Germany. He quoted me in a story called “China on hot seat over alleged hacks”, which ran in September 2007 (the incidents I described took place in 2007, though, not 2006). It was also around that time that I began working with Maarten Van Horenbeeck, an incident handler at the SANS Internet Storm Center and a security researcher who has been working on these types of attacks for a long while. Maarten has been fantastic to work with, and he has been able to do some analysis of the malware that we receive on a regular basis. Like I keep telling him, I feel like we are at least fighting back to a certain extent, just because at least we can feed data on our ongoing issues with these types of social malware attacks to people like Maarten, who can then gather that data and hopefully use it to help us and others.

It really is quite amazing that these types of attacks are so relentless and widespread. I posted about some of my more recent experiences with these types of social malware attacks to the March 29, 2009 MetaFilter thread on GhostNet:

I have posted before about the Tibetan attacks, because they offer good insights into this issue in general. But it’s not just the Tibetan activists and other outspoken critics of the Chinese regime that are targeted by this “GhostNet”. I work on Taiwan/China issues in Washington, D.C. Pretty much everyone in that community – be it academics, think tankers, NGO employees, or government officials – is consistently targeted by the kind of “social malware” attacks that are detailed in the two reports. These attacks are very sophisticated, making them really hard to spot, and they show intimate knowledge of what’s going on in the community. Let me give you two recent examples:

On March 26, the Pentagon released their annual report on the Chinese military. On March 27, I received an email ostensibly from one of the people responsible for Taiwan issues at the Pentagon. The email basically said “Hey, here is the expanded version of the report from yesterday, with some additional commentary on Taiwan. I thought you would find it useful”. Attached was a PDF named “China_Military_Power_Report_2009.pdf”, exactly like the official document released by the Pentagon. I work on Taiwan defense issues, so this would be very interesting to me were it real. However, I correspond with this person on a regular basis, and he usually signs his emails to me with his nickname. This email didn’t, which made me suspicious. A Virustotal scan confirmed that the attachment contained malicious software (only detected by 4/38 products, though) and a quick phone call confirmed that the person hadn’t sent an email like that.

In another recent attack, it was the name of the head of my organization that was used to try to trick recipients into opening malicious attachments. He had just returned from a visit to Taiwan, a trip that had been reported on in the Taiwan press. About a week after returning, he received an inquiry from a prominent researcher at a D.C. think tank, asking if he had sent the researcher an email with a trip report from his visit. He had not in fact sent such an email, although it wouldn’t have been unusual for him to do so. I spoke to the IT manager at the think tank, who confirmed that the researcher was indeed tricked into opening the attachment, and that it did contain malware.

And this was just in the last three weeks. I could go on for pages describing various things we have seen over the past two/three years … but you get the gist. For small NGOs like mine, protecting against infiltration, monitoring our systems for intrusions, and educating our staff to recognize potential hazards has become a huge drain on our already limited resources. The frustrating thing is that there is pretty much nothing we can do about it, except to remain diligent. But at least I’m glad that the issue is continuing to get coverage in the mainstream press.

So you can see that this is something that I have thought about in depth. We are also taking steps where I work to try to guard against these types of issues. But at least the difference between today and late 2006 is that pretty much everyone I know in the Taiwan-watching community is well aware of these types of emails, so hopefully they will cease to be effective at some point.

Update: I thought I would add a few examples of targeted attack emails here, to show just how well done these fake social malware emails are. I went through the huge amounts of data that I collected and pulled out a representative sample of the types of emails we are seeing. Most of these either had attachments that contained malware, or linked to files online that were malware infested. I have been adding more examples for a while, particularly if they are extra interesting or well done.

However, the list of examples just got too lengthy and unwieldy. So I’ve started a separate microblog on Tumblr to just post these examples. The Targeted Email Attacks blog now has the examples that I used to post here.

Additional Resources

A few people within the community have written about this issue as well. Here are a few additional resources:

The USCC also held a hearing that covered this issue (which was good, I attended). The hearing transcript is quite interesting as well, particularly the testimony of James Mulvenon.

Jim says “And finally, part of my bona fides today is that I am also a victim on a regular basis of Chinese cyber warfare. Most of the China specialists in the Washington, D.C. area on a regular basis for the last 18 to 24 months have been receiving in many cases clumsily crafted with bad Chinglish e-mails but with very potent malware attached to them that is designed, in my view, to exploit possibly some of the sensitive but unclassified material that might be on our machines about the daily workings of what we do here in Washington.”

If you read the transcript, you will see that one of the Commissioners – Dan Blumenthal – also says “I’m Commissioner Blumenthal and I too have been a victim of Chinese cyber crime in the interest of full confessional, and I have an appetite for vengeance myself, but I’m sublimating it.” These comments are funny to me (both those guys are super nice, really good people) but it also shows the extent of this problem in our community. Actually, the USCC has scheduled a hearing on this topic later this month (update: PDF transcript here), and have commissioned a paper on the topic as well, which will be out later this year.

Update: The paper is called “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation” and was published on the USCC website on October 22, 2009. Download PDF report.

Update: On November 20, 2009 the USCC published their 2009 annual report, which covers their research on this issue. See the chapter entitled “China’s Cyber Activities that Target the United States, and the Resulting Impacts on U.S. National Security.”

The Dark Visitor
Book written by Scott Henderson, which is a great look into the Chinese hacker society. The title of the book is also the title of his blog with some colleagues, a great resource.